Microsoft: The IE threat is real, and so is the fix

By Scott M. Fulton, III | Published December 17, 2008, 11:30 AM

Though it remains uncertain if anyone has actually been affected by an Internet Explorer browser flaw that has made national news headlines, Microsoft's tactic today is to treat it as though it's real, and respond the same way.

In a statement to BetaNews early this morning, the author of a Microsoft security vulnerability team blog post published yesterday said his team is aware of exploit sites that are attempting, if not yet successfully, to exploit a problem that the company discovered in response to reports of an active exploit in the field.

"Unfortunately, there are a bunch of active exploit sites right now attempting to exploit Windows XP and Windows Server 2003 users running IE7," the team's Jonathan Ness told BetaNews. "We don't make the decision to release out-of-cycle lightly and we will only do it for confirmed, unpatched vulnerabilities under active attack. If you're familiar with either the Metasploit framework or the milw0rm.com hacker Web site, both have proof-of-concept exploit code available that has been picked up by bad guys to install malware on unsuspecting browsers."

Ness updated us on the basic profile of the problem, which is due to be addressed by an out-of-cycle patch still scheduled for distribution early this afternoon, East Coast time. The company's initial security bulletin advised workarounds centered on ActiveX controls, which led many -- including BetaNews -- to believe that IE's original system for enabling remote code execution was at the heart of the problem.

But since then, new information has prompted Microsoft and third-party security companies to back away from that initial profile. As it turns out, today's out-of-cycle patch, Ness told us this morning, will not address an ActiveX-related issue, but rather a related issue that security firm Secunia had tried to explain in an early bulletin of its own.

"This vulnerability is actually not related to ActiveX controls leaving code in memory," Ness wrote. "This vulnerability is a very real memory corruption issue in the way MSHTML.dll parses XML-based data-binding objects."

The MSHTML dynamic link library is indeed responsible for exposing COM interfaces to ActiveX controls; over the years, Microsoft's multitude of fixes to ActiveX-related security flaws has directly patched this library. But one of its overall purposes is to help bind graphic objects that appear in Web pages to data objects in memory. ActiveX controls are one way to achieve this kind of binding; but more recently, data providers such as ADO.NET have enabled MSHTML to act as a data source object (DSO) for data tables that can be expressed in HTML or XML.

For XML-based binding, developers add elements to their HTML pages that mark explicitly where the XML for bound data begins and ends. These elements are referred to as XML data islands, and it is here, according to Ness, that exploitation is possible. ActiveX could be involved, but it doesn't have to be; and in this particular instance, apparently, it is not ActiveX that is at the center of the danger.

Ness advises IT departments not yet implementing the patch that they can avoid the chance of exploitation by disabling XML island functionality in their browsers.

"We initially considered suggesting customers unregister or ACL msxml3.dll to block attempts to exploit the vulnerability," Ness wrote on his team's blog yesterday. "Blocking msxml3.dll system-wide turned out to break lots of stuff. However, disabling only the XML Data Island CLSID is enough to prevent msxml3.dll from loading only for IE for known attacks. Also, from our testing, it appears that not very many Web sites use the XML Data Island functionality, so this is our least intrusive workaround...and it works on all supported platforms."
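Since the workaround disables the XML Data Island CLSID, an IT department would want to know which of its own pages actually depend on that feature first. The scanner below is an added example written for this article (it is not code from Microsoft or BetaNews); it uses IE's `<xml id="...">` island element and the `datasrc`/`datafld` binding attributes, and the sample page is constructed for the example.

```python
"""Inventory IE XML data-island usage in HTML pages before applying the workaround."""
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class IslandReport:
    islands: list = field(default_factory=list)   # ids of <xml> data islands
    bindings: list = field(default_factory=list)  # (tag, datasrc, datafld) triples

    def uses_data_islands(self) -> bool:
        # A page depends on the feature only if some binding targets an <xml> island;
        # a datasrc pointing at an ActiveX DSO (no matching island) does not count.
        targets = {"#" + island_id for island_id in self.islands}
        return any(src in targets for _, src, _ in self.bindings)


class DataIslandScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.report = IslandReport()

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None
        a = {name: (value or "") for name, value in attrs}
        if tag == "xml" and "id" in a:
            self.report.islands.append(a["id"])
        if "datasrc" in a or "datafld" in a:
            self.report.bindings.append((tag, a.get("datasrc", ""), a.get("datafld", "")))


def scan(html: str) -> IslandReport:
    scanner = DataIslandScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.report


# Constructed sample: an intranet page binding a table to an XML data island.
SAMPLE = """
<html><body>
<xml id="emp"><rows><r><name>Ann</name></r></rows></xml>
<table datasrc="#emp"><tr><td><span datafld="name"></span></td></tr></table>
</body></html>
"""

if __name__ == "__main__":
    report = scan(SAMPLE)
    print("islands:", report.islands, "bindings:", report.bindings)
    print("depends on XML data islands:", report.uses_data_islands())
```

Pages where `uses_data_islands()` is true are the ones the CLSID workaround will break; everything else can have it applied without testing.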

Update 1:15 pm EST December 17, 2008 - When we asked Microsoft's Jonathan Ness for clarification of whether Microsoft believed there were active attempts to exploit the problem that's the subject of today's out-of-cycle fix, he responded that his team now has reason to believe that one Windows user out of every 500 may have been exposed to a Web site which may contain real, active, non-imaginary, verifiable exploits for this problem.

"I am telling you that there are active exploits and real Windows users are unfortunately being infected with malware," Ness told BetaNews this afternoon. "I think probably the most public Microsoft acknowledgment of this has come from our malware protection center blog. If you read the top two postings there, you'll see a detailed breakdown of exploits by detection name, by country of impacted user, and even a startling statistic: They estimate 0.2% of Microsoft Windows users worldwide have been exposed to websites containing exploits for this vulnerability. Each of those users running IE7 on either Windows XP or Windows Server 2003 will have gotten infected, unfortunately."

Usually, Microsoft's PR teams are told to mitigate the damage by emphasizing the limits of its possible spread, he went on to say. "But once every couple years when one of these 'big ones' hit, we are quick to point out that unfortunately real users are getting infected."

We then asked Ness whether he felt it was fair for the press, including major TV outlets, to characterize this problem as an Internet Explorer "design flaw."

"The press I have seen call it a 'coding flaw,'" he responded. "Not sure if that is splitting hairs but I think of 'design flaws' as 'flaws in design' -- that is, poorly thought out design. Contrast that with 'coding flaws' where the design was solid and an engineer who implemented the design perfectly while using safe coding practices would not have introduced any vulnerabilities. This was a case of poor memory handling. The fix was made to not accidentally reference freed memory. The original design of data binding objects remains.

"I don't see this as a part of an evolution of malicious exploitation about preventative coding," Ness continued. "It was just sloppy memory management."

Comments

There's no mention as to whether or not this "exploit" is related to the (as of this writing, December 17, 2008) relationship between IE7 and IE8 Beta browsers and possibly Windows Mail or Outlook Express.

The last exploit I knew of caused multiple tabs by the dozens to open in IE8 Beta, and eventually a new browser would open, suggesting a tab limit per one browser.

Task manager would not work either as planned with Windows Vista Home Premium SP1.

Inevitably, this is a contrasted way of exposing potential mix and match ups for a common good but not for the innocent.

If it is at all possible to elaborate, does this affect just Windows XP and/or Vista?

The exploit I described happens when visiting a popular social network site and a user's easy-to-program (for the novice) page.

Anyone else care to elaborate?

W. K. Mahler
"Merry Christmas To You"
Free streaming audio,
www.mahlers.com

Score: 0

|

What is concerning is the generalization of the information provided to the public.

For instance, what are these websites with malicious code contributing to the commotion and hysteria?

Why does there seem to be an effort to protect the identity of such websites?

Sure, running a tool to remove the malicious code is helpful after you get infected and your personal data has been stolen, but where is the tool that warns or prevents users from visiting those websites?

Further, if websites have been identified as willfully malicious, then why are they still in operation?

Score: 0

|

I like what Microsoft is doing with IE since Version 6, and even though we get these scary bugs every once in a while, it's not enough to make me stop using it.

Score: 0

|

If a security bug were to make someone stop using software, then they would have to revert back to a pre-internet DOS install.

Score: 0

|

Only on the PC!

Score: 0

|

Umm, no... there was rock-solid OS/2, and properly administered and maintained *nix platforms as well.

Score: 0

|

Yawn....

Just get the fix, regardless of which browser you use.

Is it really that complicated?

In other words, just use the toiletpaper to wipe your @ss and quit worrying about which brand of toilet paper your neighbor is using!

Damn the fanboy crap gets old.

Score: 0

|

Did someone hijack your account? You manage to make perfect sense and not even a hint of being desperately erudite...

Score: 0

|

And now we see why toilet paper is useful.
What is an analogy without an object lesson that shows up right on cue!?

Score: 0

|

Then again toilet paper is a much more complex issue rooted in cultural and environmental context. Either way doesn't stop you smearing crap all over the site.

Score: 0

|

Patch released, pretty darn quickly too. Just installed, rebooted, and done. Very nicely played Microsoft. I commend you

Score: 0

|

It's a marketing problem, not a technical problem! Or is it a feature? I forget.

Makes you wonder whether it's time to give up on IE and [permanently] move on to another browser. Since IE is a repeat offender, how many more strikes do you give it before you give up?

Score: 0

|

Would that be to Firefox, which today has released an update to fix 8 security holes, 3 of which, according to Mozilla, "could have been used to run attacker code and install software, requiring no user interaction beyond normal browsing"? That makes them more serious than the IE flaws.

Score: 0

|

Perhaps you'll try Opera or Firefox; both had to patch their ailing software today. It appears browsing with them was even more dodgy than staying with good old IE7.

Score: 0

|

Opera patched it yesterday, but carry on :)

Score: 0

|

The Firefox bugs were only exploitable in theory - no actual Firefox users were harmed. Indeed, you can browse the internet and go to any website with Firefox 1.0 now and you will not get any malware / viruses. The IE bug, on the other hand, was actually exploited in reality. Millions of users have in real life, because of the IE bug, had malware get on their computer even though they were fully current on patches.
(Some actual Firefox bugs have existed that allowed the stealing of saved passwords, but no Firefox user has ever gotten malware except through bugs in plugins like Flash or Java).

Score: 0

|

Wrong, do a search... look for exploiting add-ons for Firefox and that argument is blown out of the water. Mozilla had to change how their browser add-ons are checked for security... after users were "hit"... then there's this "little" article; I found it most enlightening, seeing how it's what I have been telling folks for a long time...
http://tech.yahoo.com/ne...curitychiefcallsitquits

Did she say "impossible???"....I think she did.

It's just super easy to pick on Internet Explorer because it's the "easy kid" on the old block. You should worry less about IE and more about "Chrome"; it's what's going to gobble up Firefox's market gains. Google is already mobilized to grab its share, and watch what happens. "The parent is pissed at his bas**** child and likes his own better." (Chrome) Watch what happens.... ha ha ha.

Gee, was this crap blown all out of proportion one day before Microsoft released the patch... I could see if they had been talking about it for weeks, but no, it had barely been a week. It was on TV... oh, the flamers... ha ha ha.

Score: 0

|

Whoops-a-daisy, spot on. Confusing little blighter of late, ain't it? Seem to remember it was fixed a couple of weeks back, and then again the week prior. It's always in the workshop being sorted of late; can't call it the fastest any longer, can't call it the safest any more, can't really call it anything, which is a pity, but I'll bet the next beta will get an "Opera Rocks" from some dude or other on these forums.

Score: 0

|

Ya... the real solution to safe surfing is NOT being on the internet. NO OS is safe and no software is bug-free. Even OS X (FreeBSD), which has been around forever.

Score: 0

|

Switching to another browser is only half of the solution. Switching to another OS like Mac OS X is the complete solution.

Score: 0

|

you sir, are a moron

Score: -1

|

Only good thing about a Mac is they burn faster when you set them on fire. They have 13-14% market share... Only thing keeping the Mac going is iPod sales.

Just run your OS lean, understand WHAT you're downloading, and stop looking at your computer as an appliance.

Score: 0

|

Eat any good books on English lately?

Score: 0

|

Switching to another planet should make you safe enough too.

Get real, Macboy.

Score: 0

|

you're a ****ing idiot, seriously

Score: 0

|

With all that recession looming what choice is there but going lean... ;-)

Score: 0

|

Don't you ever get tired of being a stupid fanboy troll? Does that really entertain you, or are you so ignorant you actually believe you are converting people? Even if you were ( and you're not) why do you even care what other people use? Get a life, seriously.

Score: 0

|

"and stop looking at your computer as an appliance."

You must be confusing it with Steely Dan.

A computer is nothing but a tool - an appliance.

But your obsession accounts for all of the wacko ranting about platforms that so many claim not to care about.

Score: 0

|

And don't forget that Steve Jobs is missing too!

Score: 0

|

Best rule ... don't feed the trolls.

Score: 0

|

I'm sorry but I don't speak ebonics or retard.

Score: 0

|
